Perspective: Curbing data use is key to reining in NSA

Proposed legislation and rules focus mostly on curbing data collection activities, not on controlling use of personal data

Any effort to rein in the National Security Agency (NSA) after its widespread spy activities were revealed last summer in leaked documents must focus on more than simply limiting what personal data can be collected.

The key to maintaining some semblance of privacy for ordinary citizens is to limit how any data about them collected by the spy agency is used.

In the months since Edward Snowden began leaking to the press classified documents detailing NSA surveillance activities, there's been a flurry of calls for new restrictions on how much data can be collected and few calling for limits on how any data collected can be used.

Since the classified documents were exposed in June, federal lawsuits challenging the NSA's collection of phone metadata records have been filed in New York and Washington D.C. Such lawsuits face difficulties as the U.S. Supreme Court this week declined, without explanation, to hear a similar petition filed by the Electronic Privacy Information Center.

Also, several U.S. lawmakers have proposed legislation to curtail some NSA surveillance activities while adding transparency to those that remain. For instance, a bipartisan bill, dubbed the USA Freedom Act, seeks to end the agency's call records collection program and make the secret FISA courts that oversee NSA surveillance requests more accountable to the public.

Meanwhile, Google, Yahoo and others have fueled new efforts to block the NSA's apparently systematic efforts to weaken encryption standards and to harvest data by allegedly tapping their data links.

Many see such efforts as fundamental to curbing the NSA's apparently insatiable appetite for collecting data under the aegis of counter-terrorism. After all, the NSA cannot misuse data that it doesn't have.

But even if all attempts at curbing the NSA's data collection activities are successful, abundant data would still be collected with few limits on how it's used.

The NSA is currently building a massive, $1.53 billion data center near Salt Lake City that it says will be able to store and process exabytes of data -- call records, social media interactions, Internet conversations, search-related data and other information culled from around the world.

It's inconceivable that all of this data is related to potential terrorist activity.

Therefore, the most important question should be: What does the NSA do with all the data it collects?

The spy agency should be required to disclose its rules for handling collected data, who it can be shared with, who can access it, how it's analyzed and the processes for data deletion.

The NSA insists that multiple controls are already in place to prevent misuse of the data it collects. It generally points first to the secret FISA court as an example of oversight of its activities.

NSA director Keith Alexander and James Clapper, U.S. Director of National Intelligence, both maintain that the spy agency's sole focus is on detecting and deterring national security threats. The program is not designed to snoop on innocent Americans, they say.

In a keynote address at the Black Hat security conference in July, Alexander insisted that the agency does not routinely listen in on phone calls, monitor email content or collect personal data of U.S. or foreign citizens.

Alexander said only 22 NSA officials can authorize such searches and only 35 of several thousand NSA analysts can run queries on collected data. Each query must be related to an anti-terror investigation and is fully auditable, he said.

However, such claims cannot be verified. The NSA, and other government officials, claiming national security grounds, have to date stymied attempts to obtain such details about ongoing spy programs.

Meanwhile, NSA Inspector General George Ellard earlier this year said he found at least 12 substantiated instances where NSA analysts misused data access privileges to spy on spouses, boyfriends and girlfriends. The IG's report also cited multiple violations of rules in place for handling collected data.

Though the report cited relatively few instances, and none especially serious, it does suggest that the NSA doesn't oversee the activities as closely as its leaders claim.

There's also little disclosure on how data collected by the NSA is used by other federal agencies, such as the FBI and the U.S. Department of Homeland Security.

The McClatchy newspaper company's Washington bureau reported this week that data collected by the DHS' Customs and Border Protection agency in connection with a probe of two individuals allegedly teaching others how to beat lie detector tests was shared with nearly 30 federal agencies.

The report said that some 4,900 people in the Internal Revenue Service, the NSA, the CIA, DHS and other agencies accessed the data, which included names, Social Security Numbers, addresses and professions.

Officials from multiple agencies confirmed receiving the list to determine whether any employee had obtained the documents before taking a lie detector test. Many agencies planned to retain the list for future use, the McClatchy report said.

Controlling how NSA-collected data is used should be the most important objective of lawmakers, said Fred Cate, professor of law at the Indiana University Maurer School of Law. Cate filed an amicus brief in support of the EPIC Supreme Court petition.

"There will almost always be a legitimate reason to collect sensitive data," said Cate. "The challenge is to ensure that data collected for one purpose is not used for other purposes."

The Supreme Court has repeatedly ruled that the Fourth Amendment applies only to collection of data, not its use, Cate noted. The high court has ruled that "even information that is illegally seized by the government can be used for other purposes."

Therefore, the onus is on Congress to impose limits on data use by the NSA and other agencies, he said. Even then, Cate noted, "we apparently will have to trust that the government is following the law."

Steve Vladeck, professor of law and associate dean for scholarship at the American University Washington College of Law, is confident that some use restrictions in bills currently pending before Congress will be adopted.

"Reasonable people can disagree about whether the government should be collecting all of this data and yet still agree that there should be far greater, and harsher, constraints on when the government can actually access or otherwise utilize that data," Vladeck said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed. His email address is
